Threat-Centric Security
James Weathersby, Sr Mgr, Cyber Security Engineers and Architects

Upload: jonas-waters

Post on 24-Dec-2015

TRANSCRIPT

Page 1: Threat-Centric Security. James Weathersby, Sr Mgr, Cyber Security Engineers and Architects

Page 2: Title slide (repeats Page 1)

Page 3: The Security Problem

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Changing Business Models

Dynamic Threat Landscape

Complexity and Fragmentation

Page 4: The Industrialization of Hacking

Timeline (1990 to 2020):

Viruses: 1990–2000

Worms: 2000–2005

Spyware and Rootkits: 2005–Today

APTs, Cyberware: Today +

Annotations along the timeline: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape

Page 5:

"Would you do security differently if you knew you were going to be compromised?"

Page 6: The New Security Model

The Attack Continuum:

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Cloud

Point in Time vs Continuous

Page 7: Visibility and Context

The New Security Model, with today's technologies placed on the Attack Continuum:

BEFORE (Discover, Enforce, Harden): Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC

DURING (Detect, Block, Defend): IPS, Antivirus, Email/Web, IDS

AFTER (Scope, Contain, Remediate): FPC (full packet capture), Forensics, AMD (advanced malware detection), Log Mgmt, SIEM

Page 8: Lessons of the Attack Continuum

Security technologies have a scope of application.

Due to scope, there can be no silver bullet technologies.

An advanced, modern approach to security will share information and capabilities across all phases of the Attack Continuum.

Page 9: Strategic Imperatives

Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation

Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence

Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management

Across Network, Endpoint, Mobile, Virtual, Cloud

Page 10: Need Both Breadth and Depth

BREADTH: Network, Endpoint, Mobile, Virtual, Cloud

DEPTH: Who, What, Where, When, How

Page 11: You Can't Protect What You Can't See

Network Servers, Operating Systems, Routers and Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines, Client Applications, Files, Users, Web Applications, Application Protocols, Services, Malware, Command and Control Servers, Vulnerabilities, NetFlow, Network Behavior, Processes

Page 12: Threat-Focused

Page 13: Detect, Understand, and Stop Threats

Collective Security Intelligence: Threat Identified

Context (Who, What, Where, When, How): ISE + Network, Appliances (NGFW/NGIPS)

Enforcement: AMP, CWS, Appliances

Event History: Recorded

Page 14: Continuous Advanced Threat Protection

Collective Security Intelligence

Context (Who, What, Where, When, How): ISE + Network, Appliances (NGFW/NGIPS)

Enforcement: AMP, CWS, Appliances

Continuous Analysis: AMP, Threat Defense

Event History

Page 15: Today's Security Appliances

Traditional Firewall Functions

VPN Functions

IPS Functions

Malware Functions

Context-Aware Functions

Page 16: Reduce Complexity and Increase Capability

Collective Security Intelligence

Centralized Management

Network Control Platform: Appliances, Virtual

Device Control Platform: Host, Mobile, Virtual

Cloud Services Control Platform: Hosted

Page 17: Platform-Based Security Architecture

Management: Common Security Policy and Management; Orchestration; Security Management APIs

Security Services and Applications: Cisco Security Applications; Third Party Security Applications (via APIs)

Security Services Platform: Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention; delivered as Physical Appliance, Virtual, Cloud; exposed through Cisco ONE APIs, Platform APIs, Cloud Intelligence APIs

Infrastructure Element Layer: Device API (OnePK, OpenFlow, CLI); Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider); Route, Switch, Compute; ASIC Data Plane, Software Data Plane

Page 18: Enforcement Delivered from the Cloud

Distributed Enforcement: Cloud Connected Network (Mobile, Router, Firewall)

Collective Security Intelligence: Telemetry Data, Threat Research, Advanced Analytics

3M+ cloud web security users

6GB web traffic examined, protected every hour

75M unique hits every hour

10M blocks enforced every hour

Page 19: Cloud-Based Threat Intel and Defense

CLOUD-BASED THREAT INTEL & DEFENSE: Attacks, Application Reputation, Site Reputation, Malware

COMMON POLICY, MANAGEMENT & CONTEXT: Common Management, Shared Policy, Roles Based Controls

NETWORK ENFORCED POLICY: Access, FW, IPS, VPN, Web, Email

Delivered on: Appliances, Routers, Switches, Wireless, Virtual

Spanning all layers: Control, Visibility

Page 20: Open Source to the Community: OpenAppID

Page 21: What is Snort?

Snort® is an open source network intrusion prevention and detection system (IDS/IPS).
– Snort engine
– Snort rules language

Created in 1998 by Martin Roesch, developed by Sourcefire.
– Sourcefire was acquired by Cisco Systems on October 7th, 2013

Snort combines the benefits of signature, protocol, and anomaly-based inspection.

Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

See more at http://www.snort.org.

Never designed to be application aware.

Page 22: The Application Problem

Closed: With a closed approach, it's hard for a network security team to extend detection to bespoke apps that only exist within that customer's network or geography.

Volume: There are more 'apps' today than ever before; it's an impossible task for any one vendor to develop all detections and keep pace with app innovation.

Isolation: Without an open approach, collaboration is impossible. Therefore the sharing and validation of detection content is stymied.

Little User Benefit From A Closed Approach

Page 23: Open Source Security Philosophy

Community: Build with the community to solve complex security problems.

Collaboration: Engage with users and developers to strengthen their solutions.

Trust: Demonstrate technical excellence, trustworthiness and thought leadership.

Complex Security Problems Solved Through Open Source

Page 24: OpenAppID Overview

What is OpenAppID?

An open source application-focused detection language that enables users to create, share and implement custom application detection.

Key Advantages
– New simple language to detect apps
– Reduces dependency on vendor release cycles
– Build custom detections for new or specific (ex. Geo-based) app-based threats
– Easily engage and strengthen detector solutions
– Application-specific detail with security events
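The mechanism OpenAppID provides, pattern-based application detectors that users write and add without waiting on the vendor, shown as an added Python example. This is not Snort's or OpenAppID's own code (real OpenAppID detectors are written in Lua against the engine's API); the engine, the detector definitions, the bespoke "acme-payroll" app, its host name and User-Agent, and every flow are constructed for the illustration. It also shows the last advantage listed above: attaching application context to a security event.

```python
"""Added example, not Cisco or Snort code: a minimal OpenAppID-style
application identification engine. Detector definitions, the bespoke
'acme-payroll' app and all flows below are constructed for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One connection as a sensor summarises it (constructed sample data)."""
    src: str
    dst: str
    dport: int
    http_host: str = ""
    user_agent: str = ""
    uri: str = ""


@dataclass
class Detector:
    """Declarative detector: an app name plus the patterns that identify it.
    Mirrors the idea behind OpenAppID detectors, not their Lua API."""
    app: str
    ports: set = field(default_factory=set)
    host_patterns: list = field(default_factory=list)   # regexes on Host header
    agent_patterns: list = field(default_factory=list)  # regexes on User-Agent
    uri_patterns: list = field(default_factory=list)    # regexes on request URI

    def matches(self, flow: Flow) -> bool:
        if self.ports and flow.dport not in self.ports:
            return False
        groups = [(self.host_patterns, flow.http_host),
                  (self.agent_patterns, flow.user_agent),
                  (self.uri_patterns, flow.uri)]
        content_groups = [(p, v) for p, v in groups if p]
        if not content_groups:
            # Port-only detector: weakest evidence, so it needs a port list.
            return bool(self.ports)
        # Every pattern group the detector defines must match; an empty
        # group means "don't care".
        return all(any(re.search(p, value, re.I) for p in patterns)
                   for patterns, value in content_groups)


class AppIdEngine:
    """Ordered list of detectors; first match wins, so add specific ones first."""

    def __init__(self):
        self.detectors = []

    def add(self, detector: Detector) -> None:
        # Custom detectors are added at runtime: no vendor release cycle needed.
        self.detectors.append(detector)

    def identify(self, flow: Flow) -> str:
        for d in self.detectors:
            if d.matches(flow):
                return d.app
        return "unknown"

    def annotate(self, event: dict, flow: Flow) -> dict:
        """Attach application context to a security event such as an IPS alert."""
        return {**event, "app": self.identify(flow)}


def build_engine() -> AppIdEngine:
    eng = AppIdEngine()
    # Stand-ins for vendor-shipped detectors (constructed, not the real set).
    eng.add(Detector("dropbox", {443}, host_patterns=[r"(^|\.)dropbox\.com$"]))
    eng.add(Detector("ssh", {22}))
    # Bespoke internal app that exists only on this network: host name and
    # client User-Agent are assumed values for the illustration.
    eng.add(Detector("acme-payroll", {8443},
                     host_patterns=[r"^payroll\.corp\.example$"],
                     agent_patterns=[r"^AcmePayrollClient/"]))
    return eng


# Constructed flows: cloud storage, the bespoke app, an unexpected client
# talking to the bespoke app's port, and plain SSH.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, http_host="www.dropbox.com",
         user_agent="Mozilla/5.0", uri="/"),
    Flow("10.0.0.7", "10.1.0.20", 8443, http_host="payroll.corp.example",
         user_agent="AcmePayrollClient/1.2", uri="/api/run"),
    Flow("10.0.0.9", "10.1.0.20", 8443, http_host="payroll.corp.example",
         user_agent="curl/8.0", uri="/api/export"),
    Flow("10.0.0.5", "10.1.0.30", 22),
]


def identify_all(engine: AppIdEngine, flows) -> list:
    return [engine.identify(f) for f in flows]


if __name__ == "__main__":
    engine = build_engine()
    for flow, app in zip(SAMPLE_FLOWS, identify_all(engine, SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  app={app}")
    # Constructed IPS alert enriched with application context
    print(engine.annotate({"sid": 1000001, "msg": "bulk export"}, SAMPLE_FLOWS[2]))
```

The third flow is the interesting one: a curl client on the payroll port does not satisfy the detector's User-Agent group, so it stays "unknown" and an alert on it carries that context, which is exactly the kind of bespoke, geography-specific distinction a closed detector set cannot express.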

Page 25: Demo

Page 26: Advanced Malware Protection

Page 27: Advanced Malware Protection Deployment

Dedicated Advanced Malware Protection (AMP) appliance

Advanced Malware Protection for FirePOWER (NGIPS, NGFW)

FireAMP for hosts, virtual and mobile devices

Complete solution suite to protect the extended network

Page 28: Advanced Malware Detection

One-to-One: Signature-based, 1st line of defense

Fuzzy Fingerprinting: Algorithms identify polymorphic malware

Machine Learning: Analyzes 400+ attributes for unknown malware

Advanced Analytics: Combines data from lattice with global trends

Detection lattice considers content from each engine for real time file disposition

Cloud-based delivery results in better protection plus lower storage and compute burden on endpoint
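How the engines above combine into a single file disposition, as an added Python example that is not AMP's code: an exact-hash engine, a fuzzy fingerprint built from byte n-grams and compared with Jaccard similarity (standing in for a real fuzzy-hashing algorithm), and a small attribute heuristic standing in for the machine-learning engine. The sample files, the thresholds and the attribute rules are all constructed. The point shown is that a repacked variant evades the exact hash but is convicted by the lattice, while the attribute heuristic on its own can only raise a file to "suspicious".

```python
"""Added example, not Cisco or AMP code: a toy detection lattice that combines
three engines (exact hash, fuzzy fingerprint, attribute heuristic) into one
file disposition. The sample files are constructed byte strings, and the
heuristic checks a handful of hand-picked attributes, not AMP's 400+."""
import hashlib


def sha256(data: bytes) -> str:
    """Engine 1: one-to-one signature lookup key."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes, n: int = 4) -> frozenset:
    """Engine 2: a fuzzy fingerprint as the set of byte n-grams. Small edits
    (repacking, a changed config string) leave most n-grams intact."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two fingerprints, 0.0 .. 1.0."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def attribute_score(data: bytes) -> float:
    """Engine 3: stand-in for the machine-learning engine. Scores static
    attributes typical of process injection and beaconing (constructed rules)."""
    score = 0.0
    if b"CreateRemoteThread" in data:
        score += 0.4
    if b"VirtualAllocEx" in data:
        score += 0.3
    if b"http://" in data or b"https://" in data:
        score += 0.1
    return min(score, 1.0)


def dispose(data: bytes, bad_hashes: set, bad_fingerprints: list,
            fuzzy_threshold: float = 0.6) -> tuple:
    """The lattice. An exact hash convicts on its own; a fuzzy match to a known
    family plus corroborating attributes convicts a polymorphic variant; either
    signal alone only yields 'suspicious', so one noisy engine cannot convict."""
    if sha256(data) in bad_hashes:
        return "malicious", "exact-hash"
    fp = fuzzy_fingerprint(data)
    best = max((similarity(fp, known) for known in bad_fingerprints), default=0.0)
    attr = attribute_score(data)
    evidence = f"fuzzy={best:.2f} attr={attr:.1f}"
    if best >= fuzzy_threshold and attr >= 0.3:
        return "malicious", evidence
    if best >= fuzzy_threshold or attr >= 0.7:
        return "suspicious", evidence
    return "clean", evidence


# Constructed "files": a known injector, a repacked variant with a different
# beacon id and padding, a benign binary, and a binary that only shares the
# injection imports.
_BASE = (b"MZ\x90\x00kernel32.dll CreateRemoteThread VirtualAllocEx "
         b"WriteProcessMemory https://c2.invalid/beacon?id=")
SAMPLES = {
    "original": _BASE + b"0001" + b"\x00" * 16 + b"END",
    "variant": _BASE + b"7f3a" + b"\x90" * 16 + b"END",
    "benign": b"MZ\x90\x00 msvcrt.dll printf puts Hello, world",
    "injector-only": b"MZ\x90\x00 msvcrt.dll printf CreateRemoteThread VirtualAllocEx Hello",
}


def classify_samples() -> dict:
    # Only the original is in the one-to-one signature set; the variant must
    # be caught by the fuzzy engine and corroborated by attributes.
    bad_hashes = {sha256(SAMPLES["original"])}
    bad_fingerprints = [fuzzy_fingerprint(SAMPLES["original"])]
    return {name: dispose(data, bad_hashes, bad_fingerprints)[0]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} {verdict}")
```

Running it gives "original" malicious by exact hash, "variant" malicious through the fuzzy engine plus attributes, "benign" clean, and "injector-only" suspicious only: the attribute engine alone never convicts, which is the reason to feed every engine into a lattice rather than trusting any one of them.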

Page 29: Retrospective Security

Continuous Analysis: Retrospective detection of malware beyond the event horizon

Trajectory: Determine scope by tracking malware in motion and activity

File Trajectory: Visibility across organization, centering on a given file

Device Trajectory: Deep visibility into file activity on a single system

Always Watching... Never Forgets... Turns Back Time

Page 30: Outbreak Control
Multiple ways to stop threats and eliminate root causes

Simple and specific controls, or context-rich signatures for broader control

Cloud and Client Based:

Simple Custom Detections: Fast and Specific

Advanced Custom Signatures: Families of Malware

Application Blocking Lists: Group Policy Control

Custom White Lists: Trusted Apps and Images

Device Flow Correlation / IP Blacklists: Stop Connections to Bad Sites

Page 31: File Analysis
Fast and Safe File Forensics

VRT powered insight into Advanced Malware behavior

Original file, network capture and screen shots of malware execution

Understand root cause and remediation

Advanced malware analysis without advanced investment

Diagram: FireAMP and Clients, to Sourcefire VRT, to Sandbox Analysis (file hash shown on the slide: 4E7E9331D22190FD41CACFE2FC843F)

Page 32: Indicators of Compromise
Big data spotlight on systems at high risk for an active breach

Automated compromise analysis and determination

Prioritized list of compromised devices

Quick links for quick root cause analysis and remediation
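The retrospective, trajectory and indicator-of-compromise ideas of Pages 29 and 32, as one added Python example that is not AMP's code. The event history, device names, abbreviated hash placeholders, verdict change, C2 address and scoring weights are all constructed: a file that every point-in-time check passed at 09:00 is ruled malicious at 11:00, the recorded history yields which devices handled it and when (file trajectory), what else happened on each of them (device trajectory), and a simple indicator score ranks the device where it ran and beaconed above the device where it merely landed.

```python
"""Added example, not Cisco or AMP code: retrospective detection over a
recorded event history, with file and device trajectories and a prioritized
list of compromised devices. Every event, host name and hash below is
constructed; hashes are abbreviated placeholders rather than real SHA-256s."""
from collections import defaultdict

# Constructed endpoint telemetry. Each record keeps the hash of the file
# involved so that a verdict reached later can be applied to past sightings.
#   create:  sha = created file,  image = creating process, detail = file name
#   execute: sha = executed file, image = its name,         detail = parent
#   connect: sha = process image, image = its name,         detail = dst ip:port
EVENTS = [
    {"t": "09:00", "dev": "wks-01", "action": "create",  "sha": "f1", "image": "outlook.exe",     "detail": "invoice.pdf.exe"},
    {"t": "09:01", "dev": "wks-01", "action": "execute", "sha": "f1", "image": "invoice.pdf.exe", "detail": "explorer.exe"},
    {"t": "09:02", "dev": "wks-01", "action": "create",  "sha": "f2", "image": "invoice.pdf.exe", "detail": "svc.dll"},
    {"t": "09:03", "dev": "wks-01", "action": "connect", "sha": "f1", "image": "invoice.pdf.exe", "detail": "198.51.100.7:443"},
    {"t": "09:10", "dev": "wks-02", "action": "create",  "sha": "f1", "image": "chrome.exe",      "detail": "invoice.pdf.exe"},
    {"t": "09:30", "dev": "srv-01", "action": "create",  "sha": "f1", "image": "smb",             "detail": "invoice.pdf.exe"},
    {"t": "09:31", "dev": "srv-01", "action": "execute", "sha": "f1", "image": "invoice.pdf.exe", "detail": "cmd.exe"},
    {"t": "10:00", "dev": "wks-03", "action": "create",  "sha": "f3", "image": "chrome.exe",      "detail": "setup.exe"},
]

# At 11:00 the cloud verdict for f1 flips from clean to malicious: every
# sighting above happened while f1 still looked clean (constructed).
DISPOSITION_CHANGES = [("11:00", "f1", "clean", "malicious")]
C2_BLACKLIST = {"198.51.100.7"}  # constructed bad-site list


def file_trajectory(events, sha):
    """Where a file has been across the organisation, in time order."""
    return sorted((e["t"], e["dev"], e["action"], e["image"])
                  for e in events if e["sha"] == sha)


def device_trajectory(events, dev):
    """Everything recorded on one system, in time order."""
    return sorted((e for e in events if e["dev"] == dev), key=lambda e: e["t"])


def retrospective_alerts(events, changes):
    """For each verdict that flips to malicious, list every device that handled
    the file before the flip, with its first sighting. A point-in-time scan
    that returned 'clean' at 09:00 would never revisit these."""
    alerts = []
    for t_change, sha, _old, new in changes:
        if new != "malicious":
            continue
        first_seen = {}
        for t, dev, _action, _image in file_trajectory(events, sha):
            first_seen.setdefault(dev, t)
        for dev, t in sorted(first_seen.items(), key=lambda kv: kv[1]):
            if t < t_change:
                alerts.append({"sha": sha, "dev": dev, "first_seen": t, "verdict_at": t_change})
    return alerts


def prioritize(events, malicious, c2_blacklist):
    """Indicator-of-compromise style ranking: a malicious file that ran, talked
    to a known C2 and dropped payloads outranks a device where it merely
    landed. The weights are illustrative."""
    score = defaultdict(int)
    reasons = defaultdict(list)
    mal_procs = set()  # (device, image) pairs that are the malware running
    for e in events:
        if e["action"] == "execute" and e["sha"] in malicious:
            score[e["dev"]] += 3
            reasons[e["dev"]].append(f"executed {e['image']}")
            mal_procs.add((e["dev"], e["image"]))
    for e in events:
        dev, key = e["dev"], (e["dev"], e["image"])
        if e["action"] == "create" and e["sha"] in malicious and dev not in score:
            score[dev] += 1
            reasons[dev].append(f"{e['detail']} present, not executed")
        elif e["action"] == "create" and key in mal_procs:
            score[dev] += 1
            reasons[dev].append(f"dropped {e['detail']}")
        elif e["action"] == "connect" and key in mal_procs and e["detail"].split(":")[0] in c2_blacklist:
            score[dev] += 4
            reasons[dev].append(f"C2 connection to {e['detail']}")
    return sorted(((dev, s, reasons[dev]) for dev, s in score.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for a in retrospective_alerts(EVENTS, DISPOSITION_CHANGES):
        print("retrospective:", a)
    for dev, s, why in prioritize(EVENTS, {"f1"}, C2_BLACKLIST):
        print(f"{dev} score={s} {why}")
```

The first loop in prioritize runs before the second so that a "present, not executed" point is only awarded on devices where the file never ran; that ordering is what keeps wks-02 at the bottom of the list while wks-01, where the file executed, dropped svc.dll and beaconed to the blacklisted address, sits at the top with quick links worth following first.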

Page 33: Demo

Page 34: Only Cisco Delivers

Unmatched Visibility: Global Intelligence With Context

Advanced Threat Protection: Detects and Stops Advanced Threats

Continuous Capability: Point-in-Time and Continuous Protection Across the Network and Data Center

Complexity Reduction: Fits and Adapts to Changing Business Models wherever the Threat Manifests

Page 35: (closing slide)